Privacy Policy

What we collect, why we collect it, where we store it, and your rights — written in plain English. We don't sell your data and we don't run advertising trackers in the dashboard.

Effective January 15, 2026

1. The short version

We are smmhub. We sell engagement campaigns and a developer API. To do that we have to collect a small, well-defined set of personal data — mostly your email, your wallet activity, and the public links you submit with each order.

We don't sell your data, ever. We don't run third-party advertising trackers on the dashboard. We use cookies for things that genuinely require them (login, theme preference, wallet balance) and for analytics, which you can decline.

2. Who is the controller

For data submitted through smmhub.io, smmhub Ltd. is the data controller. You can reach our privacy team at privacy@smmhub.io or through /contact.

3. What we collect

We collect the following categories of personal data:

  • Account data — email, hashed password, optional Telegram handle, country, language preference, time zone.
  • Order data — service IDs, target links, quantities, timestamps, cost in your wallet currency, optional notes.
  • Wallet data — top-up amounts, payment method type (we never store full card numbers — those live with our PCI-DSS-compliant gateway), promo codes redeemed.
  • Technical data — IP address, browser/device fingerprint, language headers, timestamps. Used for fraud prevention and to keep your session secure.
  • Support data — anything you send us in tickets, contact forms, or Telegram.

4. Why we use it

We process the data above to:

  • Provide the Service — deliver orders, charge your wallet, send refill notifications, surface stats.
  • Keep you safe — detect account compromise, block fraud, satisfy AML / KYC requests when payment processors require them.
  • Improve the product — anonymous usage analytics power the dashboards we use to prioritise the roadmap. You can opt out of analytics from the cookie banner.
  • Communicate — operational emails (receipts, refill notices, incident updates) and, if you opted in, occasional product news.
  • Comply with law — respond to lawful requests from competent authorities, retain transactional records for the period required by tax law.

6. Who we share it with

We share data only with sub-processors that are necessary to run the Service, under written data-processing agreements:

  • Payment gateways (Stripe, Coinbase Commerce, NowPayments, regional rails) — only the data they need to charge you.
  • Cloud infrastructure (AWS, Cloudflare) — encrypted-at-rest storage and DDoS protection.
  • Email delivery (Postmark) — operational and marketing email rendering.
  • Customer support tooling (Plain) — the contents of tickets you create.

7. How long we keep it

Account & order data: while your account is active, plus 12 months after closure for fraud prevention. Tax records (invoices, refunds): 7 years where local law requires it.

Server access logs: 30 days. Anonymised analytics: indefinitely. Support tickets: 24 months after the last reply.

8. Your rights

Depending on your jurisdiction (GDPR / UK GDPR / CCPA / LGPD / etc.) you may have the right to:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — correct anything inaccurate.
  • Erasure — delete your account and personal data, subject to retention obligations.
  • Portability — export your data in a machine-readable format.
  • Restrict / object — pause certain processing activities.
  • Withdraw consent — opt out of analytics or marketing at any time.

9. Cookies

We use strictly-necessary cookies (session, CSRF, theme), preference cookies (currency, time zone, date format), and optional analytics cookies that are off until you accept them in the banner. We do not run third-party advertising cookies.

10. International transfers

Our infrastructure is hosted in the EU. When data crosses borders for a sub-processor (e.g., a US payment gateway), we use Standard Contractual Clauses and additional safeguards required by EU and UK regulators.

11. Security

TLS 1.3 in transit, AES-256 at rest. Passwords are hashed with Argon2id. API keys are stored hashed and shown once at creation. Production access is gated by hardware-key 2FA, scoped IAM, and audit logging.

If we ever experience a breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of it, as the law requires.

12. Children

The Service is not intended for users under 18. We do not knowingly process personal data of children. If you believe a minor has signed up, contact us and we will remove the account.

13. Updates to this policy

When we change something material we will email account holders at least 14 days before the new policy takes effect. The dated history of this document is available on request.